secure_storage: add a ZMS-based implementation of the ITS store module #81235
Conversation
|
@tomi-font, |
|
@tomi-font I would advise on the following alternative approach:
The id's In the saving process the data is first written, then the metadata. In the reading process the metadata id's are searched for the correct psa_its_id, ... , a "reread" can be performed if needed (depending on the flags), followed by the read/validation of the data. At start any data that does not have a corresponding (or invalid) metadata can be removed. This approach is also applicable to nvs, allows simultaneous use of nvs/... for secure storage, settings and other data storage (e.g when |
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
2 times, most recently
from
e778058 to
fb58bc3
Compare
Good point. I was thinking about how to handle potential conflicts, but I think that I will just remove the possibility to use
This makes no sense.
No it's not. And related to that, I will address the topic of UID assignment (for secure storage) in a follow-up PR.
I don't want to reinvent the storage wheel, plus I don't see the advantage in what you're proposing. Might as well just use the settings-based implementation. |
Ok if you think they are a good fit.
No need to address this in a follow-up PR, do it now before it gets used.
There are already users that are using the NVS backend for both settings and data storage, the allocation of ID ranges could be formalized. If on the other hand it is needed that the secure storage has its own backend (as implied by the PR), a slightly modified copy of the flash backend used in tf-m would be more appropriate. If the settings-based implementation fits the need, why propose a different alternative? |
What I am talking about is not specific to what is added in this PR. It's about the PSA Secure Storage API overall. And the rationale for not including it as part of this PR is to keep the scope of a PR focused on one topic.
I agree that it could and even should be formalized.
No, it's not needed. This PR is just to allow direct use of a partition for more control and efficiency of the storage. For the majority of cases it will actually still default to using settings because |
If it is worth using a partition for more control and efficiency of storage it would be good to target as much users as possible. NVS is still much broader used (it is more efficient for most users) and has a large install base. It doesn't seem a good choice to leave these users without a possible more efficient storage solution. Splitting up the storage into metadata (uid, caller uid, flags, (optional) nonce, (optional) tag) and the data itself would give the following advantages:
|
I'm not a fan of the suggestions. Plus they're just notices. (And have sparked some debate on Discord.) They can be hidden with the |
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
from
fb58bc3 to
34ddbcf
Compare
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
4 times, most recently
from
fcb9c32 to
ec6f856
Compare
| The sector size impacts the runtime behavior of ZMS and restricts the maximum | ||
| ITS entry data size (which is the sector size minus ZMS and ITS overhead). | ||
| Changing it will result in loss of existing data stored on a partition. | ||
| It must be a multiple of the flash page size. |
There was a problem hiding this comment.
only for a certain type of flash (that requires erase)
There was a problem hiding this comment.
only for a certain type of flash (that requires erase)
I would rather say "for devices that require erase". There are devices that have erase and have paging (only for that purpose) but you can just write them without explicitly erasing first and without loosing written data in process.
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
from
4e601e3 to
36429bb
Compare
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
2 times, most recently
from
d996816 to
e853d2f
Compare
It becomes the new default when the secure_storage_its_partition devicetree chosen property is defined as it is a preferred alternative. See the help message of the `CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS` Kconfig option for more information. Signed-off-by: Tomi Fontanilles <[email protected]>
Add a test scenario for the ITS store module implementation that uses ZMS for storage. Reorganize the others at the same time. Signed-off-by: Tomi Fontanilles <[email protected]>
Remove the hard restriction on CONFIG_SECURE_STORAGE_ITS_MAX_DATA_SIZE. SETTINGS_MAX_VAL_LEN is in practice not used by any settings backend implementation. Signed-off-by: Tomi Fontanilles <[email protected]>
Output a CMake error when the ITS store module is enabled but no implementation ended up enabled (due to unfulfilled prerequisites). This is to make it more clear than undefined references at link time. Not a fatal error because CMake cannot fail for the twister filtering to work on the tests. Signed-off-by: Tomi Fontanilles <[email protected]>
…tition Align with the behavior of the settings subsystem. Signed-off-by: Tomi Fontanilles <[email protected]>
Use %zu for size_t. Signed-off-by: Tomi Fontanilles <[email protected]>
Align the debug logging with that of the ZMS-based implementation. Signed-off-by: Tomi Fontanilles <[email protected]>
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
from
e853d2f to
28c984e
Compare
|
Rebased to fix a conflict in |
|
@Laczen Following the contribution process, I am dismissing your review as you have just nacked this PR on the premise that the implementation is not compliant with the specification, which is something that has already been discussed and approved in the security working group. Plus this subsystem is still new and experimental; improvements are to come which will make it more usable. |
|
@tomi-font, I will be short on this:
The responsability of the addition of this solution is entirely yours. I have given my feedback on the proposal as well as a means to remove its shortcomings. As a last remark I would advise you to modify the psa crypto test to also validate using a vendor key as this is the most basic requirement. |
fabiobaltieri
added
area: Input
fabiobaltieri
merged commit 23a6a78
into
zephyrproject-rtos:main
See the commit messages.
A follow-up PR will introduce the (static) allocation of
psa_storage_uid_tvalues for end users of the PSA Secure Storage API.